How the Cloud Killed the Firewall

Cloud and hybrid environments, mobile access, and online applications have made the firewall all but obsolete, experts say, and data center operators should be looking at replacing their firewalls with more granular security technologies.

Applications and data used to live in data centers and be delivered from there to employees who were themselves on a corporate network.

"Even when off-site, they were VPNing into the network," said Michael Beesley, CTO at Skyport Systems.

That's not true anymore. Today, applications can live in cloud and hybrid environments or be delivered via websites by external services providers. Employees and customers access them, often via the web, from wherever they happen to be.

That means the firewall can't see what's going on, where the connections are coming from, or where they're going, while the IP addresses change all the time or are obscured by content delivery networks like CloudFlare.

"The firewall becomes blind," he said.

Meanwhile, the traffic that used to be distributed among many different ports is now all concentrated on ports 80 and 443.

"I think we're approaching a tipping point where out of necessity enterprises are going to adopt a different approach with regard to how they secure themselves," Beesley said. "The empirical data is that in a hybrid environment the firewalls are not doing their job. Infrastructure needs to evolve to a zero-trust environment rather than trying to secure it from a networking point of view."

"The browser is what killed the firewall," said Ryan Spanier, director of research at Kudelski Security. "Because you had clients asking for things on the internet, and the firewall wouldn't stop a thing."

With encrypted traffic, all the firewall knows is the source and the destination of the traffic, and now that everything is in the cloud, even that doesn't tell you much. "There's not a lot of room for the firewall anymore," he said.

According to a survey released this month by network security vendor Ixia, 88 percent of respondents said they experienced a business-related issue from a lack of visibility into public cloud data traffic.

Finally, there’s the transformation of application development. Enterprises have moved from running applications on dedicated servers to virtual machines to containers, each time dramatically increasing the number of endpoints that need to be protected while simultaneously accelerating the rate at which new ones are spun up and shut down.

That has made the environment exponentially more complex, and traditional firewalls have a hard time keeping up with all the changes.

"It is dying, and it will be dead soon," said Amir Sharif, co-founder at San Jose, California-based application security firm Aporeto.

Now the movement is to serverless applications, with microservices, and the pace of change is about to jump by another order of magnitude, he said.

"I'm constantly computing what I can allow and can't allow, and it becomes very expensive," he said. "Those nodes are coming and going. The firewall cannot keep up."

Sharif said he regularly hears from customers about how much of a problem this is.

"One of our customers on Wall Street mentioned that every time he rolls out an application he has to update at least 14,000 different firewall rules," he said.

To keep up, security solutions need to be tightly coupled with applications, so that security controls are created alongside containers or microservices as they are spun up.

Another option is to build whitelists into the containers so that only the applications that are supposed to be there are allowed to run and can only connect to the outside services they are allowed to connect to.

The biggest example of this approach is Google's BeyondCorp strategy. Google's director of information security Heather Adkins did a presentation on it at this year's RSA conference. It was titled "How Google Protects Its Corporate Security Perimeter without Firewalls."

According to a recent FireMon survey, 90 percent of respondents said firewalls either remain as critical to security as they’ve ever been or have become more critical than ever.

However, the nature of the firewall will change, said FireMon director Josh Mayfield. It will change to an approach focused less on rigid rules and more on policies about specific assets.

"When the hard perimeter dissolves, you must rely on policy to be the invisible perimeter," he said. "Firewalls of the future will have awareness of the asset, its attributes, its connection points, and so on."

The security policies will follow the assets and workloads as they move from place to place, he said, which means companies will no longer have to keep rewriting their firewall rules.
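As an added illustration of the two approaches described above (the container allowlist and the policy that follows the workload), this is example code written for this article, not a product or vendor implementation. It assumes constructed workloads, labels and addresses: rules are keyed to stable workload attributes, so the decision survives a reschedule to a new IP, whereas the equivalent IP-tuple ruleset has to be rewritten.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    ip: str              # changes every time the container is rescheduled
    labels: frozenset    # stable identity, e.g. {("app", "checkout"), ("env", "prod")}

@dataclass(frozen=True)
class Rule:
    src: frozenset       # label selector the source must satisfy
    dst: frozenset       # label selector the destination must satisfy
    port: int

def lbl(**kv):
    return frozenset(kv.items())

# Constructed policy: checkout may call payments on 8443, payments may reach the ledger DB.
RULES = (
    Rule(src=lbl(app="checkout", env="prod"), dst=lbl(app="payments", env="prod"), port=8443),
    Rule(src=lbl(app="payments", env="prod"), dst=lbl(app="ledger-db", env="prod"), port=5432),
)

def allowed(rules, src, dst, port):
    """Default deny: a flow passes only if some rule's selectors match both endpoints."""
    return any(r.src <= src.labels and r.dst <= dst.labels and r.port == port for r in rules)

def expand_to_ip_rules(rules, inventory):
    """The same policy rendered as the (src_ip, dst_ip, port) tuples an IP firewall needs."""
    return {(s.ip, d.ip, r.port) for r in rules for s in inventory for d in inventory
            if r.src <= s.labels and r.dst <= d.labels}

def reschedule(w, new_ip):
    """Same identity, new address: what a container restart on another host looks like."""
    return Workload(w.name, new_ip, w.labels)

def demo():
    checkout = Workload("checkout-7f9", "10.0.1.12", lbl(app="checkout", env="prod", tier="web"))
    payments = Workload("payments-3a1", "10.0.2.40", lbl(app="payments", env="prod", tier="api"))
    ledger = Workload("ledger-db-0", "10.0.3.5", lbl(app="ledger-db", env="prod", tier="data"))
    staging = Workload("checkout-stg", "10.0.9.9", lbl(app="checkout", env="staging"))
    before = expand_to_ip_rules(RULES, [checkout, payments, ledger])
    moved = reschedule(checkout, "10.0.4.77")
    after = expand_to_ip_rules(RULES, [moved, payments, ledger])
    return {
        "checkout_to_payments": allowed(RULES, checkout, payments, 8443),   # True
        "moved_to_payments": allowed(RULES, moved, payments, 8443),         # still True, no rule edit
        "checkout_to_ledger": allowed(RULES, checkout, ledger, 5432),       # False: default deny
        "staging_to_payments": allowed(RULES, staging, payments, 8443),     # False: env mismatch
        "ip_rules_rewritten": len(before ^ after),                          # 2 tuples had to change
    }
```

The identity-keyed check gives the same answer before and after the move, while the IP rendering of the very same policy is stale the moment the container lands on a new address.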